See below, Alex.

Arshad Noor
StrongAuth, Inc.

----- Original Message -----
From: "Alexander Klink" <[EMAIL PROTECTED]>

The typical user does not have a client authentication certificate,
so after installing one for him, the browser will send that out
to anyone who is asking.

  My understanding of the TLS protocol is that the browser only sends
  the certificates signed by CAs that the server trusts; are you saying
  that the protocol allows for asking ANY certificate from the browser
  cert-store, regardless of who signed it?

> And what happens to the users
> who do not have client-certs issued by this CA when they
> attempt to connect to the site?

Nothing, you can keep it configured as optional on the webserver.

  If so, how does the website track the client?  Wouldn't client-auth
  need to be on for the tracking to work?
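
The question above turns on the certificate_authorities field of the TLS CertificateRequest message. As an added example (not part of the original thread), this Python code parses a TLS 1.2 CertificateRequest body as laid out in RFC 5246 section 7.4.4 and applies that section's rule that an empty CA list lets the client send any certificate of an acceptable type. The helper names and sample DNs are constructed for illustration, and byte-for-byte DN comparison is a simplifying assumption.

```python
import struct

def der_cn(name: bytes) -> bytes:
    """Build a minimal DER Name holding one CN (constructed sample data, short names only)."""
    atv = b"\x06\x03\x55\x04\x03" + b"\x0c" + bytes([len(name)]) + name
    seq = b"\x30" + bytes([len(atv)]) + atv
    rdn = b"\x31" + bytes([len(seq)]) + seq
    return b"\x30" + bytes([len(rdn)]) + rdn

def build_request(ca_dns) -> bytes:
    """Constructed TLS 1.2 CertificateRequest body: rsa_sign, sha256/rsa, given CA DNs."""
    ca_block = b"".join(struct.pack("!H", len(d)) + d for d in ca_dns)
    return (bytes([1, 1])                      # certificate_types<1..255>: rsa_sign(1)
            + struct.pack("!H", 2) + bytes([4, 1])  # supported_signature_algorithms
            + struct.pack("!H", len(ca_block)) + ca_block)

def parse_certificate_request(body: bytes):
    """Return (cert_types, sig_algs, ca_dns) from a TLS 1.2 CertificateRequest body."""
    pos = 0
    n = body[pos]; pos += 1
    cert_types = list(body[pos:pos + n]); pos += n
    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    sig_algs = [tuple(body[i:i + 2]) for i in range(pos, pos + n, 2)]; pos += n
    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    end = pos + n
    if end != len(body):
        raise ValueError("certificate_authorities length does not match message")
    ca_dns = []
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", body, pos); pos += 2
        if dn_len == 0 or pos + dn_len > end:
            raise ValueError("malformed DistinguishedName entry")
        ca_dns.append(body[pos:pos + dn_len]); pos += dn_len
    return cert_types, sig_algs, ca_dns

def client_may_offer(issuer_dn: bytes, ca_dns) -> bool:
    """RFC 5246 7.4.4: an empty list means any certificate of an acceptable type may be sent."""
    return not ca_dns or issuer_dn in ca_dns

SITE_CA = der_cn(b"Example Site CA")   # constructed sample issuer
OTHER_CA = der_cn(b"Other CA")         # constructed sample issuer

if __name__ == "__main__":
    for label, req in (("named CA", build_request([SITE_CA])), ("empty list", build_request([]))):
        _, _, cas = parse_certificate_request(req)
        print(label, "-> cert from Other CA offered:", client_may_offer(OTHER_CA, cas))
```
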


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
